LISTING OF THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

1-8. (Cancelled) 

9-27. (Cancelled) 

28. (Previously Presented) A method of automatically obtaining a second certificate for a user in 
a Public Key Infrastructure (PKI) enterprise using a first certificate, the method comprising: 

accessing a registration server using a user's server and the first certificate of the user to 
create a connection that authenticates both the user's server identity via a server certificate of the 
user server and the user's identity via the user's first certificate; 

creating a secure data channel between the registration server and the user server; 

forwarding a request for the second certificate from the user server to the registration 
server; 

determining in the registration server that the user is entitled to the second certificate by 
ensuring that the user is still a member of the PKI enterprise and ensuring that the user does not 
already have the second certificate; 

forwarding a request from the registration server to an authority to generate a 
private/public key pair; 

sending the private key to the user from the authority via the secure data channel; 

sending the public key from the authority to another authority to be signed; and 

forwarding the second certificate from the another authority to a directory. 

29. (Previously Presented) The method of claim 28, further comprising sending a backup copy 
of the private key from the authority to a key recovery authority. 
30. (Previously Presented) The method of claim 28, wherein the first certificate comprises a 
signature certificate. 

31. (Previously Presented) The method of claim 28, wherein the second certificate comprises an 
encryption certificate. 

32. (Previously Presented) The method of claim 28, wherein the first certificate comprises an 
expiring signature certificate and the second certificate comprises a replacement signature 
certificate. 

33. (Previously Presented) The method of claim 28, wherein the first certificate comprises a 
signature certificate and the second certificate comprises a replacement encryption certificate. 

34. (Previously Presented) The method of claim 28, wherein the first certificate comprises a 
signature certificate and the second certificate comprises one of either the user's current 
encryption certificate or an expired encryption certificate of the user. 

35. (Previously Presented) A method of automatically obtaining a second certificate for a user in 
a Public Key Infrastructure (PKI) enterprise using a first certificate, the method comprising: 

accessing a server platform using a user's server and the first certificate of the user to 
create a connection that authenticates both the user's server identity via a server certificate of the 
user server and the user's identity via the user's first certificate; 

tracking a pedigree of the user's first certificate; 

accessing a registration web page having a level of security that is commensurate with the 
pedigree of the user's first certificate; 

creating a secure data channel between the server platform and the user server; 

forwarding a request for the second certificate from the user server to the server platform; 
and 

generating at the server platform the second certificate. 

36. (Previously Presented) The method of claim 35, wherein the first certificate comprises a 
signature certificate. 

37. (Previously Presented) The method of claim 35, wherein the second certificate comprises an 
encryption certificate. 

38. (Previously Presented) The method of claim 35, wherein the first certificate comprises an 
expiring signature certificate and the second certificate comprises a replacement signature 
certificate. 

39. (Previously Presented) The method of claim 35, wherein the first certificate comprises a 
signature certificate and the second certificate comprises a replacement encryption certificate. 

40. (Previously Presented) The method of claim 35, wherein the first certificate comprises a 
signature certificate and the second certificate comprises one of either the user's current 
encryption certificate or an expired encryption certificate of the user. 

41. (Previously Presented) An apparatus for automatically obtaining a replacement certificate 
for a user in a Public Key Infrastructure (PKI) enterprise using a signature certificate, the 
apparatus comprising: 

a user server and a registration server, the user server accessing the registration server 
using the signature certificate of the user to create a connection that authenticates both the user's 
server identity via a server certificate of the user server and the user's identity via the user's 
signature certificate; 
a secure data channel, the secure data channel being disposed between the registration 
server and the user server, the user server forwarding a request for the replacement certificate to 
the registration server through the secure data channel; 

a first authority, the registration server determining that the user is entitled to the 
replacement certificate and, upon said determination, revoking a certificate which the 
replacement certificate is replacing and forwarding a request to the first authority to generate a 
private/public key pair associated with the replacement certificate, the first authority sending the 
private key to the user via the secure data channel; 

a second authority, the first authority sending the public key to the second authority to be 
signed; and 

a directory, the second authority forwarding the replacement certificate to the directory. 

42-43. (Cancelled) 

44. (Previously Presented) The apparatus of claim 41, wherein the signature certificate 
comprises an expiring signature certificate and the replacement certificate comprises a 
replacement signature certificate. 

45. (Previously Presented) The apparatus of claim 41, wherein the replacement certificate 
comprises a replacement encryption certificate. 

46. (Cancelled) 

47. (Previously Presented) An apparatus for automatically obtaining a second certificate for a 
user in a Public Key Infrastructure (PKI) enterprise using a signature certificate, the apparatus 
comprising: 

a user server and a server platform, the user server accessing the server platform using the 
signature certificate of the user to create a connection that authenticates both the user's 
server identity via a server certificate of the user server and the user's identity via the user's 
signature certificate; 

a secure data channel, the secure data channel being disposed between the server platform 
and the user server and being encrypted using the signature certificate; 

the user server forwarding a request for the second certificate to the server platform; and 
the server platform generating the second certificate. 

48. (Cancelled) 

49. (Previously Presented) The apparatus of claim 47, wherein the second certificate comprises 
an encryption certificate. 

50. (Previously Presented) The apparatus of claim 47, wherein the signature certificate 
comprises an expiring signature certificate and the second certificate comprises a replacement 
signature certificate. 

51. (Previously Presented) The apparatus of claim 47, wherein the second certificate comprises a 
replacement encryption certificate. 

52. (Previously Presented) The apparatus of claim 47, wherein the second certificate comprises 
one of either the user's current encryption certificate or an expired encryption certificate of the 
user. 

53. (Previously Presented) The method of claim 28, further comprising revoking the first 
certificate upon determining that the user is entitled to the second certificate. 

54. (Previously Presented) The method of claim 53, further comprising signaling both the 
directory and the another authority that the first certificate has been revoked. 
55. (Previously Presented) The method of claim 28, wherein accessing a registration server 
comprises tracking a pedigree of the user's first certificate to access a registration web page 
having a level of security that is commensurate with the pedigree of the user's first certificate. 

56. (Previously Presented) The method of claim 30, wherein the second certificate is an 
encryption certificate, and wherein creating a secure data channel comprises encrypting a 
transmission between the registration server and the user server using the signature certificate. 

57. (Previously Presented) The method of claim 35, wherein the server platform is a key 
recovery authority, and wherein the second certificate is one of a current encryption certificate 
and an expired encryption certificate. 

58. (Previously Presented) The method of claim 35, further comprising determining in the server 
platform that the user is entitled to the second certificate by ensuring that the user is still a 
member of the PKI enterprise and ensuring that the user does not already have the second 
certificate. 

59. (Previously Presented) The method of claim 58, further comprising revoking the first 
certificate upon determining that the user is entitled to the second certificate. 

60. (Currently Amended) The method of claim 59, further comprising signaling both [[the]] a 
directory and [[the another]] a certificate authority that the first certificate has been revoked. 

61 . (Previously Presented) The method of claim 35, wherein the second certificate is an 
encryption certificate, and wherein creating a secure data channel comprises encrypting a 
transmission between the server platform and the user server using the signature certificate. 
62. (Previously Presented) The apparatus of claim 41, wherein the registration server comprises 
a plurality of registration web pages, each of the plurality of registration web pages having a 
level of security, a given one of the plurality of registration web pages being accessible to a 
given user in the PKI enterprise upon a pedigree of the given user's signature certificate being 
commensurate with the respective level of security. 

63. (Previously Presented) The apparatus of claim 41, wherein the secure data channel is 
encrypted using the signature certificate. 

64. (Previously Presented) The apparatus of claim 47, wherein the server platform comprises a 
plurality of registration web pages, each of the plurality of registration web pages having a level 
of security, a given one of the plurality of registration web pages being accessible to a given user 
in the PKI enterprise upon a pedigree of the given user's signature certificate being 
commensurate with the respective level of security. 

65. (Previously Presented) The apparatus of claim 47, wherein the server platform determines 
whether the user is entitled to the second certificate by ensuring that the user is still a member of 
the PKI enterprise and by ensuring that the user does not already have the second certificate upon 
the user server forwarding the request for the second certificate. 

66. (Previously Presented) The apparatus of claim 47, wherein the server platform revokes the 
signature certificate upon the server platform generating the second certificate. 

67. (Previously Presented) The apparatus of claim 47, wherein the server platform is a key 
recovery authority, and wherein the second certificate is one of a current encryption certificate 
and an expired encryption certificate. 
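The flow claimed in claims 28-34, 41 and 53-54 (and, with the server platform in place of the separate registration server and authorities, in claims 35, 47 and 58-60) is simulated below as an added example; it is not code from the application or from any product, and every name in it is a constructed stand-in. HMAC-SHA256 under a secret held by the certificate authority stands in for a real CA signature, random bytes stand in for the generated key pair (the "public key" is just a hash of the private one, so nothing here is usable cryptography), and the mutually authenticated secure data channel is a list that records what would be sent to the user. The entitlement check follows claim 28: the user must still be a member and must not already hold a valid certificate of the requested kind, where the certificate being replaced (claims 32, 41) does not count as "already held". Revocation of the replaced certificate is signalled to both the CA and the directory, as in claims 41, 53 and 54.

```python
# Added example, not from the claims listing. Stand-in primitives only:
# HMAC-SHA256 for the CA signature, random bytes for the key pair,
# an in-memory list for the mutually authenticated channel.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str
    usage: str        # "signature", "encryption" or "server"
    public_key: bytes
    issuer: str
    serial: int
    signature: bytes


class CertificateAuthority:
    """The 'another authority' of claim 28: signs public keys, records revocations."""

    def __init__(self, name):
        self.name, self._secret, self._serial, self.revoked = name, os.urandom(32), 0, set()

    def _mac(self, subject, usage, public_key, serial):
        tbs = f"{subject}|{usage}|{public_key.hex()}|{self.name}|{serial}".encode()
        return hmac.new(self._secret, tbs, hashlib.sha256).digest()   # stand-in signature

    def sign(self, subject, usage, public_key):
        self._serial += 1
        return Certificate(subject, usage, public_key, self.name, self._serial,
                           self._mac(subject, usage, public_key, self._serial))

    def verify(self, cert):
        expected = self._mac(cert.subject, cert.usage, cert.public_key, cert.serial)
        return (cert.issuer == self.name and cert.serial not in self.revoked
                and hmac.compare_digest(expected, cert.signature))


class Directory:
    """Publication point for issued certificates (last step of claim 28)."""

    def __init__(self):
        self._entries, self.revoked = {}, set()

    def publish(self, cert):
        self._entries[(cert.subject, cert.usage)] = cert

    def lookup(self, subject, usage):
        cert = self._entries.get((subject, usage))
        return None if cert is None or cert.serial in self.revoked else cert


class KeyAuthority:
    """The 'authority' of claim 28: generates the pair, escrows the private key (claim 29)."""

    def __init__(self):
        self.key_recovery = {}   # escrow of the key recovery authority, keyed by subject

    def generate(self, subject):
        private = os.urandom(32)
        public = hashlib.sha256(b"pub:" + private).digest()   # placeholder, not a real key
        self.key_recovery.setdefault(subject, []).append(private)
        return private, public


class SecureChannel:
    """Both endpoint certificates are verified before anything is sent (claim 28)."""

    def __init__(self, ca, user_cert, server_cert):
        if not (ca.verify(user_cert) and ca.verify(server_cert)):
            raise PermissionError("mutual authentication failed")
        self.delivered = []   # what the simulation would send to the user


class RegistrationServer:
    def __init__(self, ca, key_authority, directory, server_cert, members):
        self.ca, self.keys, self.directory = ca, key_authority, directory
        self.server_cert, self.members = server_cert, set(members)

    def request(self, user_cert, wanted_usage):
        channel = SecureChannel(self.ca, user_cert, self.server_cert)
        subject = user_cert.subject
        # Entitlement check of claim 28: still a member, and does not already hold
        # the requested certificate (the one being replaced does not count).
        if subject not in self.members:
            raise PermissionError(f"{subject} is no longer a member of the PKI enterprise")
        current = self.directory.lookup(subject, wanted_usage)
        if current is not None and current != user_cert:
            raise PermissionError(f"{subject} already holds a {wanted_usage} certificate")
        if current is not None:   # replacement: revoke and signal CA and directory (claims 41, 53, 54)
            self.ca.revoked.add(current.serial)
            self.directory.revoked.add(current.serial)
        private, public = self.keys.generate(subject)
        channel.delivered.append(("private_key", wanted_usage, private))   # via the secure channel
        cert = self.ca.sign(subject, wanted_usage, public)                  # signed by the CA
        self.directory.publish(cert)
        return cert, channel.delivered


def build_enterprise(members=("alice",)):
    """Constructed sample PKI: CA, directory, key authority, server certificate and one
    signature certificate per member, already published in the directory."""
    ca, directory, keys = CertificateAuthority("Enterprise CA"), Directory(), KeyAuthority()
    server_cert = ca.sign("registration.example", "server", hashlib.sha256(b"server").digest())
    user_certs = {}
    for name in members:
        user_certs[name] = ca.sign(name, "signature", hashlib.sha256(name.encode()).digest())
        directory.publish(user_certs[name])
    return RegistrationServer(ca, keys, directory, server_cert, members), user_certs
```

Calling `reg.request(certs["alice"], "encryption")` on a freshly built enterprise issues an encryption certificate (claim 31) and delivers the private key over the channel; a second identical request fails the "does not already have" check, a request from a subject removed from `reg.members` fails the membership check, and `reg.request(certs["alice"], "signature")` takes the replacement path of claim 32, after which the old signature certificate no longer verifies at the CA and cannot open a channel. One caveat a practitioner would raise against the claimed ordering: claims 41 and 53 revoke the replaced certificate before the new key pair is generated, so a failure anywhere in the key generation, signing or publication steps leaves the user with no valid certificate; a deployment would normally publish the replacement first and revoke the old certificate last.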